Stakeout: how the FBI tracked and busted a Chicago Anon

"Script kiddie"—no hacker worth his salt wants to hear the term used to describe him. Anyone with modest computer skills can cause modest havoc using other people's code fragments, scanners, and infiltration tools, but this is little more than knowing how to point a gun in the right direction and pull the trigger. It lacks art. True hacking requires a deep knowledge of computer and network security, an ability to navigate around obstacles, and the willingness to be careful enough to always hide one's tracks. The script kiddies, they might be easy targets for the feds, but the true hackers? Shadows are their home.

The Anon-affiliated hackers who broke into the private intelligence company Stratfor to release e-mails and steal credit cards certainly didn't think they were script kiddies. In an Internet Relay Chat (IRC) session just after the December 2011 hack, one of the Stratfor hackers (sup_g) spoke to an unidentified chatroom member (CC-3) about the accomplishment.

CC-3: but this stratfor shit was bigger shit than
CC-3: old shits
CC-3: at least it deserves no critics
@sup_g: oh yes
@sup_g: notice no one is throwing around script kiddie comments...
CC-3: this time was classy
CC-3: and thats perfect
CC-3: we produced a cool video
CC-3: we announced luzxmas
CC-3: we hacked big shit
CC-3: we donated by 1000000...
CC-3: and we destroyed a big serious intel corp
CC-3: actually just a lil bunch of ppl thinks shit on this
CC-3: like 3
CC-3: lol
@sup_g: they are just mad because of the sheer amount of high profile people in this

The day after Christmas, sup_g had another online chat about the Stratfor hack and about some 30,000 credit card numbers that had been taken from the company. His interlocutor, CW-1, engaged in a bit of gallows humor about what might happen should they all get caught.

CW-1: hows the news looking?
@sup_g: I been going hard all night
CW-1: I heard we're all over the news papers
CW-1: you mother fuckers are going to get me raied [raided]
CW-1: HAHAHAAHA
@sup_g: we put out 30k cards, the it.stratfor.com dump, and another statement
@sup_g: dude it's big..
CW-1: if I get raided anarchaos your job is to cause havok in my honor
CW-1: <3
CW-1: sup_g:
@sup_g: it shall be so

But the raid had, in fact, already happened. CW-1 was "Sabu," a top Anon/LulzSec hacker who was in real life an unemployed 28-year-old living in New York City public housing. His sixth-floor apartment had been visited by the FBI in June 2011, and Sabu had been arrested and "turned." For months, he had been an FBI informant, watched 24 hours a day by an agent and using a government-issued laptop that logged everything he did.

The FBI controllers behind Sabu must have found it grimly humorous to tease sup_g with threats of arrest, but they were also using Sabu's chat for a more serious purpose—correlating the many names of sup_g.

In the log above, note how Sabu suddenly addresses sup_g by a new name, "anarchaos." It would turn out that sup_g went by many names, including "anarchaos," "burn," "yohoho," "POW," "tylerknowsthis," and "crediblethreat."

Normally, the attempt to link his various names would have raised the hacker's guard; as he confided to Sabu, someone else had once tried to link the names "yohoho" and "burn," but the hacker "never answered... I think he picked up some language similarities I've worked with [REDACTED] on other ops in the past." But this was Sabu, a sort of hacker demigod in the world of Anonymous. If you couldn't trust him, who could you trust? Sabu had even provided a server to store the stolen Stratfor data, so he couldn't be a fed (in reality, he had done so at the FBI's direction).

A document distributed after the Stratfor hack totted up the hack's damage.

"The sheer amount of destruction we wreaked on Stratfor's servers is the digital equivalent of a nuclear bomb," it said. "We rooted box after box on their intranet: dumping their mysql databases, stealing their private ssh keys, and copying hundred[s] of employee e-mail spools... We laid waste to their web server, their mail server, their development server, their clearspace and srm intranet portal and backup archives."

The document also claimed that more than $500,000 had been charged to credit cards and given to "charities and revolutionary organizations."

Usernames and e-mail addresses were also released; people were exhorted to "use and abuse these password lists and credit card information to wreak unholy havoc upon the systems and personal e-mail accounts of these rich and powerful oppressors."

It was vicious, and Stratfor has not in fact fully recovered. Critics of the action, like The Atlantic, called Stratfor a "joke" organization not worth targeting, though the hackers seemed more than pleased with their work; they recently passed the company e-mails to WikiLeaks for distribution.

Whatever else it did, the hack certainly brought renewed attention to hackers like sup_g. But first, the FBI had to find them.

While sup_g may indeed have been a "credible threat," he was in the end no match for the overwhelming federal resources of the FBI agents hunting him down. Over the last month, federal agents staked out his home in Chicago constantly, dug up old police surveillance records, tapped his Internet connection, used directional wireless finders to locate and identify his wireless router, and relied on Sabu back in his New York City apartment to let them know when sup_g went on or offline.

Despite the hacker's many precautions, the FBI moved into Chicago's Bridgeport neighborhood last night and arrested a 27-year-old dreadlocked white guy said to hate racism so much that he had once violently attacked a Holocaust denier. Here's how the feds found him.

Details, details...

To identify sup_g, the Bureau first turned to the voluminous chat logs stored on Sabu's computer. They went through every comment that could be plausibly linked to sup_g or one of his aliases. The goal was to see if the hacker had slipped up at any point and revealed some personal information.

He had. On August 29, 2011 at 8:37 AM, "burn" said in an IRC channel that "some comrades of mine were arrested in St. Louis a few weeks ago... for midwestrising tar sands work." If accurate, this might place "burn" in the Midwest. FBI Chicago agents were able to confirm that an event called Midwest Rising was attended by Chicago resident Jeremy Hammond's twin brother. (Hammond had a history with anarchism and violent protest.)

"Anarchaos" once let slip that he had been arrested in 2004 for protesting at the Republican National Convention in New York City. Much later, "yohoho" noted that he hadn't been to New York "since the RNC," nicely tying both online handles to the same person. The FBI went to New York City police and obtained a list of every individual detained at the 2004 convention; they learned that Jeremy Hammond had in fact been detained, though he had not been arrested. The pieces were starting to fit.

A captured portion of an IRC chat about using stolen credit cards to pay for new servers

"Sup_g" and "burn" both indicated later that they had spent time in prison, with "burn" indicating that he had been at a federal penitentiary. A search of Hammond's criminal records revealed that he had been arrested in March 2005 by the Chicago FBI and had pled guilty to hacking into a "politically conservative website and stealing its computer database, including credit card information," according to an FBI affidavit. Hammond was sentenced to two years in prison for the action.

Before this 2005 arrest, Hammond had allegedly told friends in Chicago that he intended to use the credit card information from the hack to "make donations to liberal organizations." Though he did not do so at the time, the idea matched up with the "lulzxmas" plan to distribute gifts and cash using stolen cards from Stratfor.

In yet another chat, "Anarchaos" told Sabu that he had once spent a few weeks in a county jail for possession of marijuana. He also asked Sabu not to tell anybody, "cause it could compromise my identity," and he noted that he was on probation. Both matched Hammond, who was placed on probation in November 2010 after a violent protest against the Olympics coming to Chicago. When the FBI ran a criminal history check on Hammond, it also revealed two arrests for marijuana possession.

The FBI was so thorough that it even followed up on a "POW" comment saying "dumpster diving is all good i'm a freegan goddess." ("Freegans" scavenge unspoiled, wasted food from the trash of grocery stores and restaurants.) The FBI went to Chicago authorities, who had put Hammond under surveillance when they were investigating him back in 2005. As part of that earlier surveillance, "agents have seen Hammond going into dumpsters to get food."
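
The pivot described in this section, reading every line attributable to a handle, pulling out rare biographical details, linking handles that leak the same detail, and then scoring the cluster against a real person's records, is the kind of thing that can be sketched in code. The block below is an added example and is not from the article or the FBI affidavit: the log lines are constructed paraphrases of the quotes above, the indicator patterns and their weights are assumptions, and the "subject record" in the usage is a hypothetical one, not Hammond's actual file.

```python
"""Alias correlation over constructed IRC log lines.

Added example, not the FBI's method or code. It links handles that leak the
same checkable life fact, clusters them into candidate aliases, and scores
each handle against a record assembled from offline sources. Every log line,
handle list, pattern and weight here is constructed for illustration.
"""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample log, one "<timestamp> <handle>: <message>" per line.
# The wording paraphrases the quotes in the article; it is not a real log.
SAMPLE_LOG = """\
2011-08-29T08:37 burn: some comrades of mine were arrested in st. louis a few weeks ago for midwestrising tar sands work
2011-09-02T22:10 anarchaos: got arrested protesting at the RNC back in 2004
2011-10-14T01:55 yohoho: haven't been to new york since the RNC
2011-11-03T03:12 burn: did my time in a federal pen, never again
2011-11-20T04:40 sup_g: prison teaches you patience
2011-12-01T02:05 POW: dumpster diving is all good i'm a freegan goddess
2011-12-04T23:30 anarchaos: few weeks in county for weed, dont tell anyone, still on probation
2011-12-06T00:15 randomguy: anyone seen the new stratfor dump?
"""

# (label, pattern, weight). Weights are assumptions: a rare, independently
# checkable fact (a specific protest, a probation term) is worth more than
# generic chatter like "prison", which many people in such channels say.
INDICATORS = [
    ("rnc_2004", re.compile(r"\bRNC\b", re.I), 3),
    ("midwest_rising", re.compile(r"midwest\s*rising", re.I), 3),
    ("federal_prison", re.compile(r"federal pen(itentiary)?", re.I), 2),
    ("prison_time", re.compile(r"\b(prison|did my time)\b", re.I), 1),
    ("freegan", re.compile(r"\bfreegan\b|dumpster div", re.I), 2),
    ("marijuana_county",
     re.compile(r"\b(weed|marijuana)\b.*\bcounty\b|\bcounty\b.*\b(weed|marijuana)\b", re.I), 2),
    ("probation", re.compile(r"\bprobation\b", re.I), 2),
]

LINE_RE = re.compile(r"^(\S+)\s+([^:\s]+):\s*(.*)$")

def parse_log(text):
    """Yield (timestamp, handle, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def extract_claims(text):
    """Map handle -> {indicator_label: weight} for every indicator that fires.
    Handles that never leak anything (here 'randomguy') do not appear."""
    claims = defaultdict(dict)
    for _ts, handle, msg in parse_log(text):
        for label, pattern, weight in INDICATORS:
            if pattern.search(msg):
                claims[handle][label] = weight
    return claims

def link_handles(claims):
    """Return {(h1, h2): [shared labels]} for every pair sharing an indicator."""
    links = {}
    for h1, h2 in combinations(sorted(claims), 2):
        shared = sorted(set(claims[h1]) & set(claims[h2]))
        if shared:
            links[(h1, h2)] = shared
    return links

def alias_clusters(links):
    """Merge linked pairs into candidate alias clusters (connected components)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for h1, h2 in links:
        parent[find(h1)] = find(h2)
    groups = defaultdict(set)
    for h in list(parent):
        groups[find(h)].add(h)
    return sorted(groups.values(), key=lambda s: sorted(s))

def score_against_record(claims, record):
    """Sum the weights of a handle's indicators that a subject's offline record
    (court files, prior surveillance) also supports. `record` is a set of labels."""
    return {h: sum(w for lbl, w in c.items() if lbl in record) for h, c in claims.items()}

if __name__ == "__main__":
    claims = extract_claims(SAMPLE_LOG)
    links = link_handles(claims)
    for (h1, h2), shared in links.items():
        print(f"{h1} <-> {h2}: shared {shared}")
    print("candidate alias clusters:", alias_clusters(links))
    # Hypothetical subject record, constructed for the example only.
    record = {"rnc_2004", "midwest_rising", "federal_prison", "prison_time",
              "freegan", "marijuana_county", "probation"}
    print("scores:", score_against_record(claims, record))
```

The weak link in this toy is exactly the one the commenters below pick at: a shared low-weight indicator such as "prison_time" ties "burn" to "sup_g" on the strength of one word, so the scores should be read as a ranking of leads to check against records, not as identification.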

Now that they had a suspect, it was time to put him under surveillance.

Reader Comments

My first question when I read the title of this article was whether the guy used Tor. Sure enough he did. My second question was whether they had (finally) cracked Tor. Turns out they didn't.

For all the people who say Tor isn't safe, it is worth pointing out that after eight years of public operation, not a single documented case exists where someone was deanonymized by a *technical* attack on the network*. Even here, despite the fact that this guy was a high value target and lots of resources were spent going after him, he was only discovered through traditional police work, because he ran his mouth too much.

*People have been deanonymized in other ways. If you tell someone your name, or post a picture of yourself (or a famous landmark in your town), or log into an account that you have accessed directly with your IP address, or (as in this case) give out too many details about yourself, there is nothing Tor can do for you.

And to all of you who complain that the government focuses too much on one group instead of another: the only true way that they could be perfectly fair is if they were perfect (not ever going to happen) or if they did nothing (I hope will never happen). Please compliment them once in a while, okay!?

"Now, those beliefs could land him in serious trouble." No, his criminal actions have landed him in serious trouble. I hope this guy gets at least 10 years in Federal pound-me-in-the-ass prison.

Holy shit, we actually got to page 2 of the comments before someone makes the blindingly shitheaded anal rape joke. Maybe the front page comments are actually improving? Of course, it's comparing one short bus full of retards to the next, but hey.. small wins.

I wonder if Anonymous is going to be able to respond to all of this other than with disjointed threats and unsuccessful "attacks." It seems like the .gov has finally shown their hand; Sabu was under their control for over half a year, so anything traceable to what he would know is compromised, plus several degrees beyond, plus several degrees of separation, just to be safe.

It's been a fun ride, and I appreciate Ars's detailed coverage of it all. I fear that we're not going to hear much about high profile hacks by people affiliated with Anonymous anymore. They will either be driven back underground after realizing that public gloating ends in incarceration, or the affiliations will stop even if the media continues to paint every single DDoS or security breach as being by "Anonymous."

Yeah and my heart bleeds peanut butter for those jerks.

Instead of being driven underground, how about they actually do something constructive for a change? Then they won't have to hide behind their cowardly cloak of anonymity and they needn't fear arrest and prosecution.

Holy shit, we actually got halfway through page 2 of the comments before someone made a despicably casual ableist joke? Maybe the assholes who make fun of the mentally disabled are losing their touch? Of course, such "jokes" are absolutely terrible no matter when they're made, but hey... small losses for humanity.

Overall, a good story, but one must assume that the FBI already suspected Hammond of being sup_g prior to his slip-up:

Quote:

On August 29, 2011 at 8:37 AM, "burn" said in an IRC channel that "some comrades of mine were arrested in St. Louis a few weeks ago... for midwestrising tar sands work." If accurate, this might place "burn" in the Midwest. FBI Chicago agents were able to confirm that an event called Midwest Rising was attended by Hammond's twin brother.

Anyone who attended Midwest Rising and had been arrested could have been sup_g's friend. Unless they already suspected Hammond, his brother's attendance would have been no more interesting than any other person's attendance. Many people with good hacking skills could have had friends arrested there.

There must have been a smaller set of suspects that various FBI offices were trying to track down.

The FBI complaint provides rather weak evidence that Hammond is sup_g or the other aliases. The evidence presented is consistent with Hammond being sup_g but the number of coincidences of Hammond's entry or exit and CW's contact with sup_g or other aliases is pretty limited.

I noticed this error too and suspect it to be a foul-up on the part of the article author; that is, he's scrambled his narrative a bit by introducing sup_g's real name before demonstrating the complete line of evidence that led to him. Note that this is where the article first mentions him, and does it using only his last name, rather than his entire name and explicitly linking it to sup_g, which is not good for reader clarity. My guess is that the FBI simply used the info referenced as their starting point to begin building an identity for sup_g.

I have to agree with telekinesis the fbi hardly covered themselves in glory with this when they have yet to prosecute a single rich banker. But if you are a dreadlocked hater of holocaust deniers you will face the full force of the law.

I thought it was SEC and the USSS who specialized in financial crimes, not the FBI?

Like the last thread he crapped in, I must ask you to stop clearing the waters with facts, dammit!

(that being said, it depends a lot on the crimes. The ones most people are complaining about though are under the purview of the SEC.)

pov3rty wrote:

blum wrote:

jonnybond wrote:

I have to agree with telekinesis the fbi hardly covered themselves in glory with this when they have yet to prosecute a single rich banker. But if you are a dreadlocked hater of holocaust deniers you will face the full force of the law.

I thought it was SEC and the USSS who specialized in financial crimes, not the FBI?

Edit: And another thing... haven't these guys ever heard of misinformation? Pretend to be a girl from california if you live in chi. wtf.

Lol.

A. I feel for the poor sap that had to read through all those chat logs... ugh...

B. Is this just another example of law enforcement going after low-hanging fruit?

C. There are other criminals who are much more dangerous to society, right? But how many other criminals piss law enforcement off the way these folks do? I mean, Wall Street bankers don't get all cocky about their blatant cheese like hackers do ;) Here in Chicago it's a war in certain neighborhoods. There are more people getting shot here on a daily basis than in Afghanistan. This is really their priority? (I realize that the FBI is national, not local.)

A. I feel for the poor sap that had to read through all those chat logs... ugh...

That's a good point. Jesus, can you imagine having to go through those things in detail? It's not like you can turn off your brain and just read it...you have to constantly be thinking if a statement is worthy of further investigation. It's not like it's coherently phrased, either.

Will there be any recompense for the individuals and/or corporations that had been damaged by these buttholes while under the FBI's watch? If it's true that the FBI even provided the hardware to facilitate some of these activities while monitoring everything and did nothing until well after the damage had been done, then are they not complicit in the crimes against those people? Just because they are gathering information on the perps as part of an on-going investigation doesn't mean they should be allowed to burn everything and everyone in their path to get that information.

I'm glad they got the guys, but something stinks about the deal in that they knowingly allowed damage to continue unabated for as long as they did and even helped their cause by providing hardware to do so. IMHO, the victims should be compensated for damages incurred while the perps were under the FBI's observation/assistance.

It feels an awful lot like this hypothetical scenario:

"Here's a gun... Now go round up your friends (no need to just tell us who they are right now), rob that bank over there, and take this car to get away. When you get home, spend the money however you want. After we figure out who your friends are, we'll come pick them up."

What are the feds gonna do for the bank that had their building shot-up in the process and for the folks that had their safety deposit boxes looted in this scenario? Nothing? Would the bank, bank patrons, and/or any insurance companies involved have to file some kind of lawsuit on their own against these guys (the hackers and/or the feds) to get any kind of compensation for damages?

Sounds like the FBI did due diligence. I can't imagine they'll stop here--use him to move up the chain and all. He may not know anyone else's name but I'll bet he has plenty of good hints/starting points for 5-0.

Why is it that anytime one of these cowards is busted, the rats come out of the woodwork to defend him?

Not sure some folks are defending him, so much as they're voicing their frustration about big business almost destroying our financial system, and none of them end up prosecuted, but the FBI was hot-n-bothered to bust guys like this.

Justice is supposed to be blind and fair. It's hard to feel it's being doled out evenly and fairly when idiots like this are pulled in while idiots in charge of our financial demise are sitting around with bonuses in their hands.

Not to get all conspiratorial or anything, but this does not demonstrate that Tor is safe or unsafe. At the very least it demonstrates that using Tor at all is a red flag (they mentioned using it to confirm someone was conducting potentially illicit activities online by watching traffic). However, if they had cracked Tor, why would they reveal it if they didn't have to? Use it to gather information, then use that information to 'catch' someone in another situation that they can claim led them to the person. There is no reason to announce you have cracked it unless you absolutely have to, and if you have cracked it you should be able to conduct enough surveillance to avoid admitting anything.

Interesting how the article ends... "Now, those beliefs could land him in serious trouble." Does that mean it "pays" being a passive consumer existing only to advance the cause of futile consumption while white collar people rob us blind? --> this is for the "goody-goodies" of society to answer.

You're an idiot. These folks not only caused damage to numerous large and small business, they broke scores of federal laws, they attacked a variety of govt web sites, and they directly attacked the FBI, CIA, and Congress' web sites.

They were BEGGING to be hunted down, charged, and imprisoned. You don't get to publicly and brazenly attack the Federal govt AND corporate America and just get away with it.

@Meta4 My thoughts too. Another thing: Hammond used TOR, and the FBI could tell this from the IP addresses of entry nodes that his laptop used. That is quite a dead give-away. This makes me wonder: if ISPs and the FBI can simply scan traffic for IP addresses of TOR nodes, what good is using TOR anyway? You will only draw attention to yourself.

Also, this guy actually did illegal stuff, and the police had to go through the trouble to gather evidence and could not simply arrest him for using TOR.

Not so in, say, Iran. A political activist there using TOR might just as well put a flashing neon sign on his front door saying: "Dissident living here". The secret police need not gather any evidence: they can just scan for TOR traffic and round up anyone using it. I don't get it, what good is TOR for anyway?

Clearly a better anonymizing network is needed. One where you cannot detect that a message is being sent at all, unless you have the proper key. Maybe a steganographic addition to a camera feed that is always on; the data portion is not different from noise. Also, you have to have a valid reason to connect to many other internet users, instead of only to 'official' websites like the New York Times. If you connect to many other normal users, why? You stand out. Maybe you can hide your connection inside traffic of a peer-to-peer backup program. Or maybe a mutual service where people continually stream surveillance camera feeds to each other, or weather station data, in order to keep the last 24 hours, of course SSL encrypted. Something like that. It has to be very popular though, to be able to hide in numbers.

Anyway, Anonymous, if you are listening, you should really stop attacking the US government and FBI and such, and start building such networks. For their own benefit initially, and furthermore (and this should be the main reason) to help actual oppressed people in Iran, Syria, China and wherever. Hillary Clinton actually _asked_ for this! As a nice side-effect, a truly undetectable darknet in use by large parts of the population would be very useful for file-sharing as well. This would make the darknet popular, thereby providing the cover in numbers. Just implement a redundant distributed filesystem on top of it, and on top of that a library with all the world's music and movies. This would be a decisive blow against the RIAA and MPAA however, so to avoid all-out war with them, there should be a micro-payment system to support a pay-per-use system. There needs to be a deal negotiated with them along the following lines: you pay a flat fee per month, anonymously of course. Some reasonable amount, say 20 dollars. This is divided and paid out each month by ratio of usage time for each rightholder. So, 10 hours of watching LOST, and 10 hours of Michael Jackson: 10 dollars to each. (Imagine the confusion of the MPAA when anonymous micropayments start rolling in.)

So you have a darknet made popular by filesharers. Nobody can prove or even see who is sharing what to whom; it's all a distributed filesystem and traffic is encrypted. All traffic is furthermore for apparently legal reasons: people use it for offsite backup, offsite surveillance feeds, whatever. The traffic you want to hide is encrypted and steganographically entangled with this data. You get the RIAA and MPAA off your back, eventually at least, because they actually get _paid_! And not only them, but also the small indy artists and rightholders get paid.

Anyway, I hope you Anonymous people start doing something constructive like this, and avoid getting more of you arrested and put in jail for many years, because the world actually needs the hackers.
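
The point the commenter opens with, that anyone watching the wire can see Tor use because the relay addresses are public, is easy to demonstrate, and it also shows how a tap on a home connection yields the "online/offline" timeline the article says the FBI wanted. The block below is an added example, not code from the article, the comment, or the Tor Project. RELAY_IPS and FLOWS are constructed stand-ins using RFC 5737 documentation addresses; a real run would load the currently published relay list and a real flow export instead. One caveat the comment skips: only listed relays match, so bridges and pluggable transports, which exist precisely to hide the first hop from this kind of matching, would not be caught by it.

```python
"""Spotting Tor use from connection logs by matching destinations against the
public relay list, then turning the hits into per-host activity sessions.

Added example, not from the article or the Tor Project. RELAY_IPS and FLOWS
are constructed; in practice you would load the current published relay
consensus and a router/ISP flow export. Bridges (unlisted relays) and
pluggable transports will not match, which is the known limit of this check.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for the public relay list (RFC 5737 documentation IPs).
RELAY_IPS = {ipaddress.ip_address(ip)
             for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7")}

# Constructed flow records as a tap might export them:
# "<ISO time> <src_ip> <dst_ip> <dst_port>". 198.51.100.200 is an ordinary
# HTTPS site included so that non-Tor traffic is visibly ignored.
FLOWS = """\
2011-12-26T01:02:11 192.0.2.50 203.0.113.10 9001
2011-12-26T01:04:40 192.0.2.50 203.0.113.10 9001
2011-12-26T01:05:02 192.0.2.77 198.51.100.200 443
2011-12-26T01:09:55 192.0.2.50 198.51.100.7 9001
2011-12-26T03:30:00 192.0.2.50 203.0.113.11 443
2011-12-26T03:31:10 192.0.2.77 203.0.113.11 443
"""

def parse_flows(text):
    """Yield (time, src, dst, dst_port) tuples from the flow export."""
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        yield (datetime.fromisoformat(ts), ipaddress.ip_address(src),
               ipaddress.ip_address(dst), int(port))

def tor_flows(text, relay_ips=RELAY_IPS):
    """Flows whose destination is a listed relay. The port is ignored on
    purpose: relays listen on many ORPorts (9001, 443, ...), so the IP is
    the reliable signal, not the port."""
    return [f for f in parse_flows(text) if f[2] in relay_ips]

def sessionize(flows, gap=timedelta(minutes=30)):
    """Group each source host's relay contacts into sessions separated by at
    least `gap` of silence. Returns {src_ip: [(first_seen, last_seen, n_flows)]}.
    This is the wire-side 'when was he online' view."""
    by_src = defaultdict(list)
    for ts, src, _dst, _port in sorted(flows):
        by_src[str(src)].append(ts)
    sessions = {}
    for src, times in by_src.items():
        out, start, prev, count = [], times[0], times[0], 1
        for t in times[1:]:
            if t - prev > gap:
                out.append((start, prev, count))
                start, count = t, 0
            prev = t
            count += 1
        out.append((start, prev, count))
        sessions[src] = out
    return sessions

def active_during(sessions, src, when_iso, slack=timedelta(minutes=5)):
    """True if `src` had a relay session covering the given ISO timestamp
    (widened by `slack`): the check you would run to line up a chat message
    seen by an informant against activity seen on the suspect's line."""
    when = datetime.fromisoformat(when_iso)
    return any(a - slack <= when <= b + slack for a, b, _ in sessions.get(src, []))

if __name__ == "__main__":
    hits = tor_flows(FLOWS)
    print(f"{len(hits)} of {len(list(parse_flows(FLOWS)))} flows went to listed relays")
    for src, sess in sessionize(hits).items():
        for first, last, n in sess:
            print(f"{src}: {first.isoformat()} .. {last.isoformat()} ({n} flows)")
```

Note that this confirms only that a host talked to the Tor network and when; it says nothing about what went through it, which is exactly the split the two Tor comments on this page are arguing over.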

Nobody with Anonymous has the skills to do what you ask for. It is not trivial.

Yet, do they really deserve a life sentence in prison for this? Which is what the FBI is trying to stick to this Hammond: 124 years. One could rape, kill and then eat someone and still not get such a punishment. Well, ok, in some states there is the death penalty, but in most states even murderers will come out of prison eventually. Unless they were exceptionally cruel, their victims were children or very numerous.